Inferensys

Glossary

SecNumCloud

A French cybersecurity certification framework for cloud service providers, designed to guarantee a high level of protection and sovereignty for sensitive government and commercial data.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
FRENCH SOVEREIGN CLOUD CERTIFICATION

What is SecNumCloud?

A rigorous cybersecurity qualification framework established by the French National Cybersecurity Agency (ANSSI) to certify cloud service providers for hosting sensitive government and commercial data.

SecNumCloud is a French cybersecurity certification framework developed by ANSSI that defines a comprehensive set of technical, operational, and legal requirements for cloud service providers. It mandates strict data localization, ensuring all data and metadata remains within the European Union and is protected from foreign extraterritorial laws such as the U.S. CLOUD Act. The framework enforces hardware-level isolation and requires providers to implement zero-trust architectures with continuous verification of every access request.

The certification process involves a mandatory third-party audit against the SecNumCloud reference framework, which covers supply chain security, cryptographic key management, and vulnerability handling. A core requirement is immunity from non-EU law, meaning the cloud operator must demonstrate legal and technical guarantees that prevent foreign administrative access. This makes SecNumCloud the benchmark for sovereign cloud architectures in France, directly addressing the compliance needs of government CTOs and organizations handling sensitive commercial data under GDPR and NIS2 directives.

FRENCH SOVEREIGN CLOUD CERTIFICATION

Core Requirements of SecNumCloud

SecNumCloud is a cybersecurity certification framework established by France's Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI). It defines a rigorous set of technical, operational, and legal requirements for cloud service providers to guarantee a high level of protection and sovereignty for sensitive government and commercial data.

01

Jurisdictional Immunity from Extraterritorial Law

The foundational requirement of SecNumCloud is immunity from non-EU extraterritorial legislation, such as the U.S. CLOUD Act. Certified providers must demonstrate that their corporate structure, operational headquarters, and data processing activities are exclusively governed by EU and French law. This ensures that no foreign authority can legally compel the provider to grant access to hosted data.

  • Corporate Ownership: The provider must be headquartered in an EU member state with no foreign controlling interests.
  • Operational Sovereignty: All administrative and commercial operations managing the service must be located within the EU.
  • Data Localization: All data at rest, in transit, and during processing must remain within EU borders.
EU-Only
Legal Jurisdiction
02

ANSSI-Qualified Cryptographic Controls

SecNumCloud mandates the use of state-sanctioned cryptographic modules to protect data confidentiality. Encryption keys must be generated, stored, and managed within a sovereign boundary using hardware security modules (HSMs) that hold an ANSSI qualification. This prevents the cloud provider or any foreign entity from accessing plaintext data.

  • Key Management: Requires Hold Your Own Key (HYOK) architectures where the client retains exclusive control.
  • Algorithmic Compliance: Mandates the use of ANSSI-approved ciphers and key lengths, often exceeding generic industry standards.
  • Physical Security: HSMs must be hosted in certified data centers within France, under the exclusive control of EU citizens.
ANSSI-Qualified
Crypto Standard
03

Continuous Vulnerability Detection and Incident Response

Certified providers must implement a Security Information and Event Management (SIEM) system that continuously monitors the entire infrastructure for threats. They are contractually obligated to notify ANSSI and affected clients of any security incident within a defined, legally binding timeframe. This ensures a proactive, state-integrated defense posture.

  • Active Monitoring: 24/7 surveillance of networks, systems, and applications for anomalous behavior.
  • Mandatory Reporting: Legally enforced timelines for reporting data breaches to the national authority.
  • Penetration Testing: Regular, independent security audits and intrusion tests are required to maintain certification.
24/7
Monitoring Cadence
04

SecNumCloud 3.2 Enhanced Protection Levels

The latest version of the framework introduces differentiated protection levels to address varying data sensitivity. The standard level covers sensitive commercial data, while the 'Advanced' level adds hardware-based confidential computing and memory encryption to protect against privileged insider threats and host-level vulnerabilities.

  • Standard Level: Logical isolation, ANSSI-qualified encryption, and EU jurisdictional control.
  • Advanced Level: Adds Trusted Execution Environments (TEEs) to encrypt data in use, isolating it from the cloud provider's own administrators.
  • Migration Path: Provides a clear technical roadmap for organizations to escalate their security posture as threats evolve.
v3.2
Current Framework
05

Qualified Personnel and Supply Chain Integrity

SecNumCloud extends its security requirements to the human element and the software supply chain. All personnel with administrative access to the infrastructure must undergo ANSSI-approved security clearance. Furthermore, providers must maintain a verified Software Bill of Materials (SBOM) to guarantee the provenance and integrity of every software component used in the service.

  • Personnel Vetting: EU-citizen-only staffing with mandatory security clearances for privileged roles.
  • Supply Chain Transparency: Full traceability of all third-party libraries and dependencies to prevent supply chain attacks.
  • Operational Integrity: Strict segregation of duties to ensure no single individual can compromise data sovereignty.
EU-Citizen
Personnel Requirement
SECNUMCLOUD EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about France's premier cloud security framework, designed for CTOs, compliance officers, and cloud architects evaluating sovereign infrastructure options.

SecNumCloud is a cybersecurity certification framework issued by the Agence nationale de la sécurité des systèmes d'information (ANSSI), France's national cybersecurity agency. It defines a rigorous set of technical, operational, and legal requirements that cloud service providers must meet to guarantee a high level of protection for sensitive data. The framework operates by auditing providers against a comprehensive referential that covers data localization, external administrative access controls, encryption standards, and supply chain security. A key mechanism is the requirement that the cloud provider's data processing and administrative operations must be shielded from non-European laws, specifically the U.S. CLOUD Act. Certification is granted only after a successful audit by an ANSSI-accredited third-party evaluator, and it must be maintained through continuous monitoring. The framework categorizes services into different qualification levels, with the 'SecNumCloud' label being the most stringent, ensuring that the provider's infrastructure, personnel, and legal structure are fully sovereign and immune to extraterritorial jurisdictional reach.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.